IonMonkey: Crash [@ EnterIon] with gcPreserveCode

Status: RESOLVED DUPLICATE of bug 763989
Product: Core
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Priority: --
Severity: major
Reported: 6 years ago
Last modified: 5 years ago

People: Reporter: decoder; Assignee: Unassigned

Tracking: Blocks 2 bugs
Keywords: crash, testcase
Points: ---
Bug flags: in-testsuite -
Firefox tracking flags: Not tracked
Whiteboard: [jsbugmon:update], crash signature
Security group: core-security
Attachments: 1

Description (Reporter: decoder, 6 years ago)

Created attachment 632698: Testcase for shell

The attached testcase crashes on ionmonkey revision 71b71dcbf9fe (run with --ion -n -m --ion-eager).

Comment 1 (Reporter: decoder, 6 years ago)

Valgrind trace:

==22822== Invalid read of size 1
==22822==    at 0x4032177: ???
==22822==    by 0x813237: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1110)
==22822==    by 0x813530: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1138)
==22822==    by 0x52A0E4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2544)
==22822==    by 0x51B299: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:286)
==22822==    by 0x51BF4F: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:474)
==22822==    by 0x51C1D1: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:512)
==22822==    by 0x44DEC3: EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) (jsapi.cpp:5378)
==22822==    by 0x44DF9C: JS_EvaluateUCScriptForPrincipals (jsapi.cpp:5389)
==22822==    by 0x44E181: JS_EvaluateUCScript (jsapi.cpp:5423)
==22822==    by 0x40A995: Evaluate(JSContext*, unsigned int, JS::Value*) (js.cpp:891)
==22822==    by 0x51390A: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) (jscntxtinlines.h:395)
==22822==  Address 0xfffa80000c714fdb is not stack'd, malloc'd or (recently) free'd

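The trace above is enough to derive the signature in the bug title and to make a first triage call on the faulting address. The following is an added example, not code from this bug or from the SpiderMonkey project: it parses the Valgrind block copied from Comment 1, builds the Bugzilla-style "[@ func]" signature by skipping the unsymbolized JIT frame, and checks whether the fault address has the shape of a NaN-boxed JS::Value. The JS::Value layout constants (17-bit tag in bits 63..47, tag = 0x1FFF0 | type, payload in the low 47 bits) are assumed from the 2012-era x86-64 jsval.h; the decode is a triage hint about what the JIT code may have dereferenced, not a root-cause finding recorded in this bug.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Valgrind output copied from Comment 1 of this bug (the first frames only;
# the text is from the page, not constructed).
VALGRIND_TRACE = """\
==22822== Invalid read of size 1
==22822==    at 0x4032177: ???
==22822==    by 0x813237: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1110)
==22822==    by 0x813530: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1138)
==22822==    by 0x52A0E4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2544)
==22822==  Address 0xfffa80000c714fdb is not stack'd, malloc'd or (recently) free'd
"""

ERR_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(
    r"^==\d+==\s+(?:at|by)\s+(0x[0-9A-Fa-f]+):\s+(.*?)(?:\s+\((\S+?):(\d+)\))?$")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) (.*)$")

# Assumed SpiderMonkey x86-64 JS::Value layout (2012-era jsval.h):
# 17-bit tag in bits 63..47, tag = 0x1FFF0 | type, payload in the low 47 bits.
JSVAL_TAG_SHIFT = 47
JSVAL_TAG_MAX_DOUBLE = 0x1FFF0
JSVAL_TYPES = {0x1: "int32", 0x2: "undefined", 0x3: "boolean", 0x4: "magic",
               0x5: "string", 0x6: "null", 0x7: "object"}


@dataclass
class Frame:
    addr: int
    symbol: str                 # "???" when Valgrind could not symbolize the PC
    file: Optional[str] = None
    line: Optional[int] = None


@dataclass
class Report:
    kind: str = ""              # "read" or "write"
    size: int = 0
    frames: List[Frame] = field(default_factory=list)
    fault_addr: Optional[int] = None
    addr_desc: str = ""


def parse_valgrind(text: str) -> Report:
    """Parse one Valgrind 'Invalid read/write' block into a Report."""
    rep = Report()
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            rep.kind, rep.size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:
            addr, sym, fname, lineno = m.groups()
            rep.frames.append(Frame(int(addr, 16), sym.strip(), fname,
                                    int(lineno) if lineno else None))
            continue
        m = ADDR_RE.match(line)
        if m:
            rep.fault_addr, rep.addr_desc = int(m.group(1), 16), m.group(2)
    return rep


def crash_signature(rep: Report, depth: int = 1) -> str:
    """Bugzilla-style "[@ func]" signature from the first `depth` symbolized
    frames: argument lists stripped, unsymbolized (JIT) frames skipped."""
    names = [f.symbol.split("(")[0] for f in rep.frames if f.symbol != "???"]
    return "[@ " + " | ".join(names[:depth]) + "]"


def decode_nanbox(addr: int):
    """Return (type name, payload) if `addr` has the shape of a NaN-boxed
    JS::Value under the assumed layout, else None. A hit suggests a boxed
    value was dereferenced as a raw pointer."""
    tag = addr >> JSVAL_TAG_SHIFT
    if (tag & JSVAL_TAG_MAX_DOUBLE) != JSVAL_TAG_MAX_DOUBLE:
        return None
    jstype = JSVAL_TYPES.get(tag & 0xF)
    if jstype is None:
        return None
    return jstype, addr & ((1 << JSVAL_TAG_SHIFT) - 1)


def triage(rep: Report) -> List[str]:
    """Heuristic notes a fuzz-triage bot would attach before filing."""
    notes = []
    if rep.frames and rep.frames[0].symbol == "???":
        notes.append("faulting PC is unsymbolized: likely JIT-emitted code")
    if "not stack'd, malloc'd or (recently) free'd" in rep.addr_desc:
        notes.append("wild %s of %d byte(s) at %#x"
                     % (rep.kind, rep.size, rep.fault_addr))
    boxed = decode_nanbox(rep.fault_addr) if rep.fault_addr is not None else None
    if boxed:
        notes.append("fault address decodes as a %s-tagged JS::Value "
                     "(payload %#x)" % boxed)
    return notes


if __name__ == "__main__":
    report = parse_valgrind(VALGRIND_TRACE)
    print(crash_signature(report), crash_signature(report, depth=2))
    for note in triage(report):
        print("-", note)
```

Run against the trace from Comment 1 this yields the signature used in the bug title, and the fault address 0xfffa80000c714fdb carries the assumed string tag (0x1FFF5) with payload 0x0c714fdb, which is why the read lands in memory Valgrind cannot attribute to the stack or heap.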
Updated (6 years ago)

Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 763989

Updated (6 years ago)

Group: core-security

Comment 3 (Reporter: decoder, 5 years ago)

A testcase for this bug was already added in the original bug (bug 763989).
Flags: in-testsuite-